Hi Phil,

Thanks for the quick reply.

I changed the setting to "no" and restarted sshd. (Apparently, "UseDNS yes" is the default for sshd on FreeBSD.) Also, I removed the hosts that were getting added from the workdir files as well as from /etc/hosts.deniedssh (according to the FAQ entry for removing IP addresses). After restarting denyhosts: So far, so good :-).

Regards,
Karel.

Phil Schwartz wrote:
>
> Try changing your sshd_config file (typically in /etc/ssh/) from
>
> UseDNS yes
>
> to
>
> UseDNS no
>
> and restarting the ssh server. DenyHosts works best when sshd logs ip
> addresses rather than hostnames. Other than that, I'm not too sure why
> duplicates would be added, that certainly isn't normal behavior. I did
> notice in the link you posted that user too had "UseDNS yes" so that may
> be the culprit. Almost all DH users, AFAIK, have "UseDNS no".
>
> Regards,
>
> Phil
>
>
> On Fri, 30 Oct 2009, Karel J. Bosschaart wrote:
>
>> Hi all,
>>
>> Since a while I'm using denyhosts 2.6 on FreeBSD 6.4, with python 2.6.
>>
>> It worked fine until at some point, after a couple of days, denyhosts
>> triggers on almost any entry in /var/log/auth.log to add the same hosts
>> to /etc/hosts.deniedssh over and over again.
>>
>> It seems very similar to the problems described here (also on FreeBSD):
>> http://www.mail-archive.com/[email protected]/msg00623.html
>>
>> http://serverfault.com/questions/18770/how-can-i-prevent-denyhosts-from-adding-the-same-host-to-the-denied-file-over-and
>>
>> but no solution is provided there :-(.
>>
>> Example: following entry in /var/log/auth.log:
>>> Oct 30 19:58:11 shell ftpd[66155]: FTP LOGIN FAILED FROM
>>> 211.154.254.247, Administrator
>> (happens to be an ftp attempt at the moment)
>> triggers denyhosts to add new hosts:
>>> 2009-10-30 19:58:16,098 - denyhosts : INFO new denied hosts:
>>> ['lvps87-230-78-78.dedicated.hosteurope.de', 'ns1.kevinro.ro',
>>> '11.232-136-217.adsl-static.isp.belgacom.be',
>>> 'hsi-kbw-078-043-171-159.hsi4.kabel-badenwuerttemberg.de',
>>> '77-20-157-105-dynip.superkabel.de',
>>> '227.138-78-194.adsl-static.isp.belgacom.be',
>>> '158.3-66-87.adsl-static.isp.belgacom.be',
>>> 'lvps87-230-78-177.dedicated.hosteurope.de']
>> while those hosts are already in /etc/hosts.deniedssh. In fact they're
>> not even in the current /var/log/auth.log as they are rotated away
>> already, so for some reason denyhosts must get them from the workdir.
>> BTW, in the workdir all hosts are listed in the hosts file correctly
>> only one time.
>>
>> As a result, my /etc/hosts.deniedssh now contains 13652 entries, but
>> only 517 of them are unique:
>>
>> grep -v DenyHosts /etc/hosts.deniedssh | wc -l
>> 13652
>> grep -v DenyHosts /etc/hosts.deniedssh | sort -u | wc -l
>> 517
>>
>> I hope someone has an idea where to look further. The startup log is
>> provided below (admin email address scrambled on purpose).
>>
>> Regards,
>> Karel.
>>
>>
>>> 2009-10-30 19:51:04,512 - denyhosts : INFO DenyHosts daemon is
>>> shutting down
>>> 2009-10-30 19:51:15,837 - denyhosts : INFO DenyHosts launched
>>> with the following args:
>>> 2009-10-30 19:51:15,990 - denyhosts : INFO
>>> /usr/local/bin/denyhosts.py --purge --config
>>> /usr/local/etc/denyhosts.conf --daemon
>>> 2009-10-30 19:51:15,993 - prefs : INFO DenyHosts
>>> configuration settings:
>>> 2009-10-30 19:51:15,995 - prefs : INFO ADMIN_EMAIL:
>>> [...@***.**]
>>> 2009-10-30 19:51:15,998 - prefs : INFO
>>> AGE_RESET_INVALID: [864000]
>>> 2009-10-30 19:51:16,000 - prefs : INFO
>>> AGE_RESET_RESTRICTED: [2160000]
>>> 2009-10-30 19:51:16,003 - prefs : INFO AGE_RESET_ROOT:
>>> [2160000]
>>> 2009-10-30 19:51:16,005 - prefs : INFO AGE_RESET_VALID:
>>> [432000]
>>> 2009-10-30 19:51:16,008 - prefs : INFO
>>> ALLOWED_HOSTS_HOSTNAME_LOOKUP: [no]
>>> 2009-10-30 19:51:16,010 - prefs : INFO BLOCK_SERVICE:
>>> [None]
>>> 2009-10-30 19:51:16,013 - prefs : INFO DAEMON_LOG:
>>> [/var/log/denyhosts]
>>> 2009-10-30 19:51:16,015 - prefs : INFO
>>> DAEMON_LOG_MESSAGE_FORMAT: [%(asctime)s - %(name)-12s:
>>> %(levelname)-8s %(message)s]
>>> 2009-10-30 19:51:16,019 - prefs : INFO
>>> DAEMON_LOG_TIME_FORMAT: [None]
>>> 2009-10-30 19:51:16,022 - prefs : INFO DAEMON_PURGE: [3600]
>>> 2009-10-30 19:51:16,024 - prefs : INFO DAEMON_SLEEP: [30]
>>> 2009-10-30 19:51:16,027 - prefs : INFO
>>> DENY_THRESHOLD_INVALID: [5]
>>> 2009-10-30 19:51:16,029 - prefs : INFO
>>> DENY_THRESHOLD_RESTRICTED: [1]
>>> 2009-10-30 19:51:16,032 - prefs : INFO
>>> DENY_THRESHOLD_ROOT: [1]
>>> 2009-10-30 19:51:16,034 - prefs : INFO
>>> DENY_THRESHOLD_VALID: [10]
>>> 2009-10-30 19:51:16,037 - prefs : INFO
>>> FAILED_ENTRY_REGEX: [None]
>>> 2009-10-30 19:51:16,039 - prefs : INFO
>>> FAILED_ENTRY_REGEX2: [None]
>>> 2009-10-30 19:51:16,042 - prefs : INFO
>>> FAILED_ENTRY_REGEX3: [None]
>>> 2009-10-30 19:51:16,044 - prefs : INFO
>>> FAILED_ENTRY_REGEX4: [None]
>>> 2009-10-30 19:51:16,047 - prefs : INFO
>>> FAILED_ENTRY_REGEX5: [None]
>>> 2009-10-30 19:51:16,049 - prefs : INFO
>>> FAILED_ENTRY_REGEX6: [None]
>>> 2009-10-30 19:51:16,052 - prefs : INFO
>>> FAILED_ENTRY_REGEX7: [None]
>>> 2009-10-30 19:51:16,054 - prefs : INFO HOSTNAME_LOOKUP:
>>> [NO]
>>> 2009-10-30 19:51:16,057 - prefs : INFO HOSTS_DENY:
>>> [/etc/hosts.deniedssh]
>>> 2009-10-30 19:51:16,059 - prefs : INFO LOCK_FILE:
>>> [/var/run/denyhosts.pid]
>>> 2009-10-30 19:51:16,062 - prefs : INFO PLUGIN_DENY: [None]
>>> 2009-10-30 19:51:16,064 - prefs : INFO PLUGIN_PURGE: [None]
>>> 2009-10-30 19:51:16,067 - prefs : INFO PURGE_DENY: [172800]
>>> 2009-10-30 19:51:16,069 - prefs : INFO PURGE_THRESHOLD: [2]
>>> 2009-10-30 19:51:16,072 - prefs : INFO RESET_ON_SUCCESS:
>>> [no]
>>> 2009-10-30 19:51:16,075 - prefs : INFO SECURE_LOG:
>>> [/var/log/auth.log]
>>> 2009-10-30 19:51:16,077 - prefs : INFO SMTP_DATE_FORMAT:
>>> [%a, %d %b %Y %H:%M:%S %z]
>>> 2009-10-30 19:51:16,080 - prefs : INFO SMTP_FROM:
>>> [DenyHosts <*...@***.**>]
>>> 2009-10-30 19:51:16,082 - prefs : INFO SMTP_HOST:
>>> [localhost]
>>> 2009-10-30 19:51:16,085 - prefs : INFO SMTP_PASSWORD:
>>> [None]
>>> 2009-10-30 19:51:16,087 - prefs : INFO SMTP_PORT: [25]
>>> 2009-10-30 19:51:16,090 - prefs : INFO SMTP_SUBJECT:
>>> [DenyHosts Report]
>>> 2009-10-30 19:51:16,092 - prefs : INFO SMTP_USERNAME:
>>> [None]
>>> 2009-10-30 19:51:16,095 - prefs : INFO
>>> SSHD_FORMAT_REGEX: [None]
>>> 2009-10-30 19:51:16,097 - prefs : INFO
>>> SUCCESSFUL_ENTRY_REGEX: [None]
>>> 2009-10-30 19:51:16,100 - prefs : INFO
>>> SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS: [YES]
>>> 2009-10-30 19:51:16,102 - prefs : INFO SYNC_DOWNLOAD: [yes]
>>> 2009-10-30 19:51:16,105 - prefs : INFO
>>> SYNC_DOWNLOAD_RESILIENCY: [18000]
>>> 2009-10-30 19:51:16,107 - prefs : INFO
>>> SYNC_DOWNLOAD_THRESHOLD: [3]
>>> 2009-10-30 19:51:16,110 - prefs : INFO SYNC_INTERVAL:
>>> [3600]
>>> 2009-10-30 19:51:16,112 - prefs : INFO SYNC_SERVER: [None]
>>> 2009-10-30 19:51:16,115 - prefs : INFO SYNC_UPLOAD: [yes]
>>> 2009-10-30 19:51:16,117 - prefs : INFO SYSLOG_REPORT: [no]
>>> 2009-10-30 19:51:16,120 - prefs : INFO
>>> USERDEF_FAILED_ENTRY_REGEX: [authentication error for (?P<user>.*)
>>> .*from (?P<host>.*)]
>>> 2009-10-30 19:51:16,122 - prefs : INFO WORK_DIR:
>>> [/usr/local/share/denyhosts/data]
>>> 2009-10-30 19:51:16,160 - denyhosts : INFO restricted: set([])
>>> 2009-10-30 19:51:19,021 - denyhosts : INFO Processing log file
>>> (/var/log/auth.log) from offset (109206)
>>> 2009-10-30 19:51:23,779 - denyhosts : INFO new denied hosts:
>>> ['lvps87-230-78-78.dedicated.hosteurope.de', 'ns1.kevinro.ro',
>>> '11.232-136-217.adsl-static.isp.belgacom.be',
>>> 'hsi-kbw-078-043-171-159.hsi4.kabel-badenwuerttemberg.de',
>>> '77-20-157-105-dynip.superkabel.de',
>>> '227.138-78-194.adsl-static.isp.belgacom.be',
>>> '158.3-66-87.adsl-static.isp.belgacom.be',
>>> 'lvps87-230-78-177.dedicated.hosteurope.de']
>>> 2009-10-30 19:51:24,344 - denyhosts : INFO launching DenyHosts
>>> daemon (version 2.6)...
>>> 2009-10-30 19:51:24,417 - denyhosts : INFO DenyHosts daemon is
>>> now running, pid: 62926
>>> 2009-10-30 19:51:24,427 - denyhosts : INFO send daemon process
>>> a TERM signal to terminate cleanly
>>> 2009-10-30 19:51:24,430 - denyhosts : INFO eg. kill -TERM 62926
>>> 2009-10-30 19:51:24,442 - denyhosts : INFO monitoring log:
>>> /var/log/auth.log
>>> 2009-10-30 19:51:24,560 - denyhosts : INFO sync_time: 3600
>>> 2009-10-30 19:51:24,700 - denyhosts : INFO daemon_purge: 3600
>>> 2009-10-30 19:51:24,706 - denyhosts : INFO daemon_sleep: 30
>>> 2009-10-30 19:51:24,713 - denyhosts : INFO purge_sleep_ratio: 120
>>> 2009-10-30 19:51:24,723 - denyhosts : INFO denyhosts
>>> synchronization disabled
>>

_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
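
An added example, not part of the thread and not DenyHosts code: a read-only check for the two symptoms discussed above (duplicate deny-file entries, and hostnames instead of IP addresses in that file), plus the UseDNS value an sshd_config sets. The function names, the sample files and the one-host-per-line layout are assumptions.

```sh
#!/bin/sh
# Added example, not DenyHosts code. Assumptions: one denied host per line and
# DenyHosts bookkeeping lines contain "DenyHosts" (same filter as the thread's grep -v).

# Print "total unique hostnames" for the deny file in $1.
audit_deny_file() {
    grep -v DenyHosts "$1" | awk '
        NF == 0 { next }                  # skip blank lines
        {
            host = $NF                    # handles "host" and "sshd: host"
            total++
            if (host in seen) next        # duplicate entry: counted in total only
            seen[host] = 1
            unique++
            # Not a dotted quad and not an IPv6 literal: sshd logged a
            # reverse-DNS name, the condition that UseDNS no removes.
            if (host !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && host !~ /:/) names++
        }
        END { printf "%d %d %d\n", total, unique, names }'
}

# Print the first UseDNS value in the sshd_config in $1 (sshd keeps the first
# value it reads for a keyword), or "unset" when only the built-in default applies.
effective_usedns() {
    awk 'tolower($1) == "usedns" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Constructed sample files (documentation addresses and example.* names).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/hosts.deniedssh" <<'EOF'
# DenyHosts: Fri Oct 30 19:58:16 2009 | 192.0.2.10
192.0.2.10
# DenyHosts: Fri Oct 30 19:58:16 2009 | dsl-1.example.net
dsl-1.example.net
# DenyHosts: Fri Oct 30 19:58:46 2009 | dsl-1.example.net
dsl-1.example.net
# DenyHosts: Fri Oct 30 19:58:46 2009 | vps-2.example.org
vps-2.example.org
# DenyHosts: Fri Oct 30 19:59:16 2009 | vps-2.example.org
vps-2.example.org
EOF
printf '#UseDNS no\nPort 22\nUseDNS yes\n' > "$SAMPLE_DIR/sshd_config"

set -- $(audit_deny_file "$SAMPLE_DIR/hosts.deniedssh")
echo "entries: $1 total, $2 unique, $3 unique hostnames"
echo "UseDNS in sample sshd_config: $(effective_usedns "$SAMPLE_DIR/sshd_config")"
```

A total well above the unique count, together with a non-zero hostname count, matches the state described in the original report; an "unset" result means the platform's compiled-in default decides.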
